Monday, September 1, 2014

Beginning Static Malware Analysis

In the next two posts, we will perform some basic malware analysis to learn enough about a particular .exe to see if we can draw a conclusion as to what it may be doing, perhaps enough to develop a signature for an IPS/IDS. In this first post, we will focus on static analysis, where we try to learn about the executable without executing it. So without further ado, let's get started.

We will use "Lab06-02.exe" from "Practical Malware Analysis". Our topology consists of a Windows XP box at 10.0.0.101 and a Kali box at 10.0.0.102. Both are virtual machines running on VirtualBox in Host-Only mode.

If we suspect that a file may be malicious, one of the first things we should do is grab its hash value and compare that against VirusTotal. For my lab I will use the md5deep suite of tools to obtain the SHA-256 value of this executable.

SHA-256:

C:\Malware Analysis Toolkit\md5deep-4.3>sha256deep.exe c:\malware\Lab06-02.exe
b71777edbf21167c96d20ff803cbcb25d24b94b3652db2f286dcd6efd3d8416a  c:\malware\Lab06-02.exe

From the above, we see that 4 out of 53 AV engines think this is malicious.

Time to dig a little deeper. Next, let's see if there are any identifiable strings in Lab06-02.exe. For this we will use the Sysinternals strings utility.

C:\Malware Analysis Toolkit\SysinternalsSuite>strings.exe c:\malware\Lab06-02.exe | more

From the above, we can see a number of Windows API functions being called.

One of the things normally done to let malware go undetected is to pack the .exe file. Let's see if this file is packed in any way using PEiD.

From the above, we can say our application is not packed and that it was built with Microsoft Visual C++ 6.0. In addition, from the subsystem, we can tell it is a Win32 console application as opposed to a GUI application.

Let's use the PEView tool to see what else we can learn about this .exe.

One of the things we can identify from the above is the date the file was created by the linker, which appears to be 2011/02/02 Wed 21:29:05 UTC.

Let's get another perspective from a different tool. This time, let's use Dependency Walker.
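As an added example that is not part of the original post, the following Python script reproduces the static triage steps above (SHA-256 hash, printable strings, and the linker timestamp, PE format and subsystem read from the PE headers) without any third-party library. It runs against a constructed minimal PE sample standing in for Lab06-02.exe when no file path is given; the sample's timestamp and console subsystem are chosen to match what PEView showed above, and the script does not detect packers or walk the import table.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}
PE_FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}


def build_sample() -> bytes:
    """Constructed stand-in for Lab06-02.exe: DOS header -> PE signature ->
    COFF header -> PE32 optional header, followed by a few strings."""
    ts = int(datetime(2011, 2, 2, 21, 29, 5, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew at 0x3c
    coff = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 224, 0x10F)  # i386, 3 sections
    # Optional header: Magic at +0, Subsystem at +68 (3 = console), 224 bytes total
    opt = struct.pack("<H", 0x10B) + b"\x00" * 66 + struct.pack("<H", 3) + b"\x00" * 154
    tail = b"\x00" * 16 + b"KERNEL32.dll\x00GetProcAddress\x00ab\x00"
    return dos + b"PE\x00\x00" + coff + opt + tail


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as Sysinternals strings.exe: runs of printable ASCII."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pe_header_info(data: bytes) -> dict:
    """Read what PEiD/PEView showed: link time, PE format and subsystem."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": hex(machine),
        "sections": nsec,
        "link_time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y/%m/%d %a %H:%M:%S UTC"),
        "pe_format": PE_FORMATS.get(magic, hex(magic)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("sha256:", sha256_of(blob))
    print(pe_header_info(blob))
    print(printable_strings(blob)[:20])
```

Run it with a path to an executable to triage a real file; the SHA-256 it prints is what you would paste into VirusTotal.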

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis